

Centralized and Decentralized Security Administration
CA ACF2 for z/VM enables your site to select centralized or decentralized security administration. You can combine several CA ACF2 for z/VM features to create a centralized or decentralized environment.
In a centralized environment, one security administrator may be responsible for creating and maintaining all the CA ACF2 for z/VM rules and records. To decentralize this environment, the security administrator can delegate administrative duties in the following ways:
- Create several scoped account managers who have the ACCOUNT field specified in their logonid records, then create scope records for each of these account managers so that they can create or modify logonids only for their groups.
- Grant the scoped security administrator the ability to delete, update, and create rules. Specifying the %CHANGE parameter and a UID mask in the rule sets that control access to the group’s data lets the scoped security administrator change those rule sets.
- Further decentralize the environment by specifying the %RCHANGE parameter and a UID mask for the users that need to add, delete, or change specific rule entries in a rule set. The %RCHANGE privilege enables those users to change the rule entries.
- In addition, CA ACF2 for z/VM can force these scoped security administrators to change CA ACF2 for z/VM records only during a specific shift or from a particular entry source.
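To review how far rule maintenance has been delegated, the following added example (not CA's code and not part of the original page) reads simplified rule-set text and reports which UID masks hold %CHANGE or %RCHANGE authority. The sample text, the function names, the comma-separated mask list, and the mask semantics (`*` for one character, `-` for any run of characters) are assumptions.

```python
import re

# Constructed sample: simplified rule-set text, not real site data.
# Rule entries are left out because only the delegation statements matter here.
SAMPLE = """\
$KEY(PAYROLL)
%CHANGE PAYMGR-
%RCHANGE PAYCLK-
 <rule entries omitted>
$KEY(SHARED)
%CHANGE -
 <rule entries omitted>
"""

def mask_to_regex(mask):
    """Assumed mask semantics: '*' = one character, '-' = any run of characters."""
    parts = [".*" if c == "-" else "." if c == "*" else re.escape(c) for c in mask]
    return re.compile("".join(parts) + r"\Z")

def parse_delegations(text):
    """Return {key: {"%CHANGE": [masks], "%RCHANGE": [masks]}} per rule set."""
    out, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\$KEY\((.+?)\)", line)
        if m:
            key = m.group(1)
            out[key] = {"%CHANGE": [], "%RCHANGE": []}
        elif key and line.split(" ", 1)[0] in ("%CHANGE", "%RCHANGE"):
            stmt, _, masks = line.partition(" ")
            # Assumption: several masks may be listed, separated by commas.
            out[key][stmt] += [x.strip() for x in masks.split(",") if x.strip()]
    return out

def authority(delegations, key, uid):
    """Highest delegated authority a UID string holds on one rule set."""
    for stmt, level in (("%CHANGE", "rule set"), ("%RCHANGE", "rule entries")):
        if any(mask_to_regex(m).match(uid) for m in delegations[key][stmt]):
            return level
    return None

def broad_masks(delegations):
    """Flag delegations whose mask contains no literal characters at all."""
    return [(k, s, m) for k, d in delegations.items()
            for s, masks in d.items() for m in masks if not m.strip("-*")]
```

A mask with no literal characters, such as the `-` on the constructed SHARED rule set, delegates change authority to every UID and is the case `broad_masks` is meant to surface.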
Copyright © 2009 CA Technologies.
All rights reserved.